BlackBerry Enterprise Solution
Version: 5.0 | Service Pack: 1
Security Technical Overview
21 Glossary...
Process flow: Turning on two-factor authentication using a smart card
When you or a user turns on two-factor authentication with the BlackBerry® Smart
Two-factor content protection
Content protection is designed to encrypt data on a BlackBerry® device when the BlackBerry device is locked. When you con
Protecting Bluetooth connections on a BlackBerry device
Bluetooth® wireless technology permits a Bluetooth enabled BlackBerry® device to open a wireles
16 Wi-Fi enabled BlackBerry devices
Wi-Fi® enabled BlackBerry® devices permit users with qualifying data plans to access BlackBerry services over a mobi
Type | Description
home Wi-Fi networks | A home Wi-Fi network uses a single access point to provide Internet access through a broadband gateway. The broadba
Feature | Description
BlackBerry transport layer encryption | BlackBerry transport layer encryption is designed to encrypt messages that the BlackBerry devi
Feature | Description
wireless software updates | Wireless software updates permit users to update the BlackBerry® Device Software without using the BlackB
How an SSL connection between a Wi-Fi enabled BlackBerry device and the BlackBerry Infrastructure protects data
An SSL connection between a Wi-Fi® enabl
• SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_EXPORT_WITH_RC4_40_MD5
• SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
• SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
• SSL_
Managing how a BlackBerry device connects to an enterprise Wi-Fi network
To manage how a Wi-Fi® enabled BlackBerry® device connects to an enterprise Wi
1 Overview
BlackBerry Enterprise Solution security
The BlackBerry® Enterprise Solution consists of various products and components that are designed to e
After you configure a VPN, the BlackBerry device can use a layer 2 security method to connect to the enterprise Wi-Fi network, and use the VPN to provi
Using a captive portal to connect to an enterprise Wi-Fi network or Wi-Fi hotspot
A captive portal uses web-based authentication to permit a Wi-Fi® enab
• permit the user to specify the software token PIN
• configure the RSA SecurID to automatically generate and send a software token PIN to a Wi-Fi® ena
17 Layer 2 security methods that a Wi-Fi enabled BlackBerry device supports
You can configure a Wi-Fi® enabled BlackBerry® device to use security methods
PSK protocol
The IEEE® 802.1X™ standard specifies the PSK protocol as an access control method for enterprise Wi-Fi® networks. You can also use the PSK
Process flow: Authenticating a Wi-Fi enabled BlackBerry device with an enterprise Wi-Fi network using the IEEE 802.1X standard
If you configured a wirel
PEAP authentication
PEAP authentication permits a Wi-Fi® enabled BlackBerry® device to authenticate with an authentication server and access an enterpri
EAP-FAST authentication
EAP-FAST authentication uses PAC to open a TLS connection to a Wi-Fi® enabled BlackBerry® device and verify the supplicant crede
• EAP-TTLS authentication
• PEAP authentication
• PSK authentication
For more information about AES-CCMP and TKIP, visit www.ieee.org/portal/site.
EAP aut
18 Protecting a third-party application on a BlackBerry device
Creating a third-party application for a BlackBerry device
A developer can create a third-
Security features of the BlackBerry Enterprise Solution
Feature | Description
data protection | The BlackBerry® Enterprise Solution is designed to protect d
• User Authenticator API, which permits the registration of drivers so that a user can unlock the BlackBerry device using two-factor authentication
You
Permitting a third-party application to encode data on a BlackBerry device
A developer can use the Transcoder API to create an encoding scheme for data
19 RIM Cryptographic API
The RIM® Cryptographic API that is on a BlackBerry® device and in the BlackBerry® Java® Development Environment consists of a Ja
The RIM Cryptographic API supports the ECIES algorithm, with an unlimited key length (160 bits to 571 bits for seeding), as the asymmetric stream encry
Key generation algorithms that the RIM Cryptographic API supports
Algorithm | Key length (bits) | Type
Diffie-Hellman | 512 to 4096 | discrete logarithm
DSA | 512
Cipher suites for the key establishment algorithm that the RIM Cryptographic API supports
Direct mode SSL | Direct mode TLS | WTLS
DH_anon | DH_anon | RSA® _768
Limitations of RIM Cryptographic API support for cipher suites for the key establishment algorithm
The RIM® Cryptographic API implementation of the TLS
20 Related resources
Resource | Information
BlackBerry Enterprise Server Feature and Technical Overview | • understanding BlackBerry® Enterprise Server archite
Resource | Information
Enforcing Encryption of Internal and External File Systems on BlackBerry Devices Technical Overview | • understanding which data items
21 Glossary
3GPP: Third Generation Partnership Project
AES: Advanced Encryption Standard
AES-CCMP: Advanced Encryption Standard Counter Mode CBC-MAC Protocol
ANSI
Architecture: BlackBerry Enterprise Solution
The BlackBerry® Enterprise Solution consists of various components that permit you to extend your organiza
BlackBerry inter-process protocol encryption encrypts communication between BlackBerry® Enterprise Solution components to prevent other parties from vi
code-signing keys: Code-signing keys are the keys that are stored on media cards that sign files so that a user can install and run the files on a BlackB
EAP: Extensible Authentication Protocol
EAPoL: Extensible Authentication Protocol over LAN
EAP-FAST: Extensible Authentication Protocol Flexible Authenticatio
ECMQV: Elliptic Curve Menezes-Qu-Vanstone
ECNR: Elliptic Curve Nyberg Rueppel
EDE: Encryption-Decryption-Encryption
EDGE: Enhanced Data Rates for Global Evolutio
General Services Administration
GSM: Global System for Mobile communications®
HMAC: keyed-hash message authentication code
HTTP: Hypertext Transfer Protocol
HTT
IT policy rule: An IT policy rule permits you to customize and control the actions that BlackBerry devices, BlackBerry enabled devices, the BlackBerry® D
MIDP: Mobile Information Device Profile
MMS: Multimedia Messaging Service
MS-CHAP: Microsoft Challenge Handshake Authentication Protocol
NAT: network address tra
PFS: Perfect Forward Secrecy
persistent store in flash memory: The persistent store in flash memory stores data for a BlackBerry device. By default, third-
RFC: Request for Comments
RIM signing authority system: The RIM® signing authority system is a collection of servers that sign the boot ROM code for a Blac
SRP authentication: SRP authentication is an authentication method that the BlackBerry® Enterprise Server and BlackBerry® Infrastructure use to authentic
Component | Description
BlackBerry Administration Service | The BlackBerry Administration Service is a BlackBerry® Enterprise Server component that connects
WLAN: wireless local area network
WPA: Wi-Fi Protected Access
WTLS: Wireless Transport Layer Security
22 Provide feedback
To provide feedback on this deliverable, visit www.blackberry.com/docsfeedback.
23 Legal notice
©2009 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, SureType®, SurePress™ and related trademar
HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED
thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agr
Component | Description
BlackBerry Device Software | The BlackBerry Device Software consists of applications on a BlackBerry device that permit the user to
Component | Description
BlackBerry® MDS Studio | The BlackBerry MDS Studio can be used by your organization's developers to create BlackBerry MDS Runti
Component | Description
BlackBerry® Smart Card Reader | The BlackBerry Smart Card Reader controls access to your organization's sensitive communication
2 New in this release
This document describes the security features that the BlackBerry® Enterprise Server version 5.0 SP1, BlackBerry® Desktop Software
3 Keys on a BlackBerry device
The BlackBerry® Enterprise Solution generates keys that are designed to protect the data that is stored on a BlackBerry de
SWD-847262-1028044248-001
Key | Description
ECC public key | The ECC public key encrypts the stored data that the BlackBerry device receives when the BlackBerry device is locked.
ephe
State | Description
pending | A pending device transport key is the device transport key that the BlackBerry Enterprise Solution generates to replace the cu
A BlackBerry device stores the device transport keys in a key store database in flash memory. The key store database is designed to prevent a potential
If a user activates the BlackBerry device over the wireless network, the BlackBerry® Enterprise Server and BlackBerry device negotiate to select the st
For more information about the ECMQV key exchange algorithm, see NIST: Special Publication 800-56: Recommendation on Key Establishment schemes, Draft 2
To generate the device transport key, the BlackBerry Desktop Software performs the following actions:
1. prompts the user to move the cursor
2. uses the
c. uses the SHA-1 function to hash the 256 bits
d. generates the device transport key of the BlackBerry device using the first 128 bits of the hash
Mess
8. uses the pseudo-random bits with AES encryption or Triple DES encryption to generate the message key
For more information about the DSA PRNG functio
Process flow: Turning on content protection using a BlackBerry Enterprise Server
You can turn on content protection using a BlackBerry® Enterprise Serv
The content protection key is a semi-permanent key that uses AES-256 encryption. If the user changes the BlackBerry device password, the BlackBerry dev
Contents
1 Overview...
Process flow: Generating a principal encryption key
When you or a user turns on content protection for device transport keys on a BlackBerry® device fo
4 Encrypting data that the BlackBerry Enterprise Server and a BlackBerry device send to each other
To encrypt data that is in transit between the BlackBe
A traditional attack tries to exploit data that a cryptographic system stores or transmits. The potentially malicious user tries to determine the key o
The BlackBerry device masks the round keys with random values and any S-Box masks that the AES algorithm requires to work. Round keys are subkeys that
b. decrypts the email message using the message key
c. decompresses the email message
d. displays the email message to the user
Process flow: Sending an
5 Managing BlackBerry Enterprise Solution security
Using an IT policy to manage BlackBerry Enterprise Solution security
You can use an IT policy to contr
Sending an IT policy over the wireless network
If your organization's environment includes C++ based BlackBerry® devices that are running BlackBer
IT administration command | Description
• require the BlackBerry device to return to its factory default settings when it receives this command
• specify w
e. uses K to decrypt the content protection key
f. permanently deletes K
5. The BlackBerry device performs the following actions:
a. selects d randomly
b.
Using a segmented network architecture to prevent the spread of malware
To help prevent the spread of malware in your organization’s network, you can u
Using IT policy rules to manage BlackBerry Enterprise Solution security... 33
Sendi
Best practice | Description
Control which application on the BlackBerry device can use the GPS feature. | Consider preventing a third-party application or pre
6 BlackBerry device memory
The BlackBerry® device memory consists of various sections that store user data and sensitive information such as keys. Third
To change when the memory cleaner application runs, you can use IT policies or the BlackBerry device user can turn on or turn off the memory cleaner ap
Deleting all device data from the BlackBerry device memory
A BlackBerry® device is designed to permanently delete the following data from the NV store,
• You click the Remove user data from current device option in the BlackBerry Administration Service after you connect the BlackBerry device to the Bla
Process flow: Deleting all device data from a BlackBerry device
The following actions occur when you or a user delete all device data.
1. The BlackBerry
Scrubbing the BlackBerry device heap in RAM when deleting all BlackBerry device data
To overwrite the BlackBerry® device heap that is in RAM for a Blac
Scrubbing the user files on a BlackBerry device when deleting all BlackBerry device data
If a BlackBerry® device supports a partition of flash memory t
7 Protecting data on a BlackBerry device
Encrypting user data on a locked BlackBerry device
If you or a BlackBerry® device user turns on content protecti
The BlackBerry device uses the BlackBerry device password to generate an ephemeral key that the BlackBerry device uses to encrypt the content protectio
Process flow: Generating an encryption key for a media card... 5
Encrypting the device transport key on a locked BlackBerry device
If you turn on content protection for device transport keys, a BlackBerry® device use
Resetting a BlackBerry device password when content protection is turned on
If you or a user turns on content protection for a BlackBerry® device that i
Uppercase parameters represent elliptic curve points. Lowercase parameters represent scalars. The elliptic curve group operations are additive.
Paramete
• generate random passwords that are designed to improve password strength
• copy passwords and paste them into an application or password prompt for a
How the BlackBerry Attachment Service protects data on a BlackBerry device
A BlackBerry® device uses the BlackBerry Attachment Service to process an at
code for a BlackBerry device during the manufacturing process, uses an RSA® public key to sign the boot ROM code. The processor is configured during th
8 Protecting the data that the BlackBerry Enterprise Solution stores in your organization's environment
Where the BlackBerry Enterprise Server store
• name of each BlackBerry® Enterprise Server
• unique SRP authentication keys and unique SRP IDs, or UIDs, that each BlackBerry Enterprise Server uses
Best practice | Description
Microsoft SQL Server permits the sa account and, in some cases, other user accounts to access operating system calls based on
Best practice | Description
• Use Microsoft SQL Server Management Studio to change the account that is associated with a Microsoft SQL Server service, if
What happens to data that is not delivered because a BlackBerry device is not available on the wireless network...
9 Protecting communication with a BlackBerry device
Opening a direct connection between a BlackBerry device and a BlackBerry Router
A BlackBerry® Router a
Closing a direct connection between a BlackBerry device and BlackBerry Router
If a user disconnects a BlackBerry® device from a computer that hosts the
Because the BlackBerry Router protocol can proceed past the point that it detects corrupted data, the BlackBerry Router protocol is unsuccessful at com
b. sends RD and a device transport key identifier (KeyID) to the BlackBerry Enterprise Server
3. The BlackBerry Router performs the following actions:
a
d. sends yB to the BlackBerry device
9. One of the following actions occurs:
• The BlackBerry Enterprise Server and BlackBerry device open an authentica
Best practice: Protecting unsecured wireless messaging on the BlackBerry device
Unsecured wireless messaging includes SMS text messages, MMS messages, a
Best practice | Description
Require a user to verify whether the user wants to send a message. | Consider configuring the BlackBerry device so that the user
The BlackBerry MDS security protocol uses a session key to authenticate data that the BlackBerry device sends to the BlackBerry MDS Integration Service
The BlackBerry MDS security protocol uses AES-128 in CBC mode with PKCS #5 padding to encrypt and decrypt data that a BlackBerry device and BlackBerry
What happens to data that is not delivered to a BlackBerry device
What happens to data that is not delivered because the connection between a BlackBerr
Updating the BlackBerry Device Software from an update web site...
10 Protecting BlackBerry Enterprise Solution communications in your organization's environment
How a BlackBerry Enterprise Server and the BlackBerry
How the BlackBerry Enterprise Solution protects a TCP/IP connection between a BlackBerry Enterprise Server and the BlackBerry Infrastructure
After a Bla
If the BlackBerry Infrastructure rejects the challenge response, the authentication process is not successful. The BlackBerry Infrastructure and BlackB
Messaging server | Description
The BlackBerry Enterprise Server connects to a user’s mailbox in a highly secure manner using the trusted application key.
Process flow: Authenticating the application loader tool or Roxio Media Manager with the BlackBerry Desktop Software using the BlackBerry inter-process
11 Activating a BlackBerry device
When a user activates a BlackBerry® device, the BlackBerry® Enterprise Solution authenticates the user and associates
4. The BlackBerry Enterprise Server and BlackBerry device use the initial key establishment protocol to generate a device transport key and verify it.
12 Enrolling certificates on a BlackBerry device over the wireless network
You can configure the BlackBerry® Enterprise Server to permit a BlackBerry dev
9. The BlackBerry Enterprise Server sends the certificate chain to the BlackBerry device.
10. The BlackBerry MDS Connection Service sends a status upda
Creating two-factor authentication methods...
8. The BlackBerry Enterprise Server sends the certificate chain to the BlackBerry device.
9. The BlackBerry MDS Connection Service sends a status updat
13 Protecting BlackBerry Device Software updates
Protecting BlackBerry Device Software updates over the wireless network
You can update the BlackBerry® D
• requires the user to type the BlackBerry device password before the BlackBerry Device Software update process can back up or restore user data
• requi
During the update process, a BlackBerry device activates itself automatically over the wireless network so that the user can use a computer that is out
Process flow: Generating a BlackBerry services key that protects cryptographic services data
The BlackBerry® device uses an ephemeral AES-256 encryptio
Process flow: Restoring cryptographic services data using the BlackBerry Desktop Manager or BlackBerry Application Web Loader
1. After the update proces
14 Extending messaging security to a BlackBerry device
If your organization's messaging environment supports highly secure messaging technology suc
Key | Description
PGP public key | The PGP Support Package for BlackBerry smartphones uses the PGP public key of the recipient to encrypt outgoing email mes
The PGP public key of the recipient indicates which encryption algorithm the recipient’s email application supports, and the BlackBerry device is desig
Process flow: Receiving a PGP encrypted message
If a recipient installs the PGP® Support Package for BlackBerry® smartphones on a BlackBerry device, th
EAP authentication methods that a Wi-Fi enabled BlackBerry device supports... 113
LEA
The BlackBerry device user uses the S/MIME private key to decrypt S/MIME-protected messages on the BlackBerry device and to sign, encrypt, and send S/M
Item | Description
S/MIME private key | When a user sends a signed email message or signed PIN message from a BlackBerry device, the BlackBerry device hashe
Process flow: Sending an email message using S/MIME encryption
If a sender installs the S/MIME Support Package for BlackBerry® smartphones on a BlackBe
Process flow: Receiving an S/MIME-encrypted email message
If a recipient installs the S/MIME Support Package for BlackBerry® smartphones, the BlackBerr
In BlackBerry Enterprise Server version 5.0 or later and BlackBerry® Device Software version 5.0 or later, a BlackBerry device user can encrypt message
The BlackBerry Messaging Agent deletes the Lotus Notes .id file and the plain-text password when the BlackBerry® Enterprise Server cannot decrypt a mes
Process flow: Receiving an IBM Lotus Notes encrypted message
1. A user uses the IBM® Lotus Notes® application on the user’s computer to encrypt a messa
Process flow: Viewing an attachment in a PGP encrypted message or S/MIME-encrypted message
The S/MIME Allowed Encrypted Attachment Mode IT policy rule o
15 Configuring two-factor authentication and protecting Bluetooth connections
BlackBerry Smart Card Reader
The BlackBerry® Smart Card Reader is an accesso
To control how a BlackBerry device can use an Advanced Security SD card, you can use the Force Smart Card Two-Factor Authentication IT policy rule, For